Yosemite’s FileVault 2 pre-boot recovery options
One of the changes that Apple has introduced with Yosemite is a more straightforward way to recover from login problems at the FileVault 2 pre-boot login screen.
When a FileVault 2-encrypted Mac sits for more than a minute with an account selected at the FileVault 2 pre-boot login screen, a message like the one below should appear:
If you’re having a problem entering your password, press and hold the power button on your Mac to shut it down. Then press it again to start it up in the Recovery OS.
If the instructions are followed, the Mac will boot from the Mac’s recovery partition on the next startup and go into a Reset Password wizard.
In the Reset Password wizard, there are currently three options available.
- I forgot my password
- My password doesn’t work when logging in
- My keyboard isn’t working when typing my password to login
Each option will do different things, so let’s take a look at each.
I forgot my password
The “I forgot my password” option is most useful to folks who, when enabling FileVault 2, chose the option to use their Apple ID to unlock the disk and reset their password.
If the user in question had set up their Apple ID to unlock the disk and reset their password, the process works as follows:
A. Log in with your Apple ID
B. The Reset Password wizard will check the locked disk.
C. The Mac will communicate back with Apple to match the Apple ID against the FileVault 2 recovery key that was stored with Apple.
D. You’ll be prompted to reset your account’s password to a new one.
Note: This password reset process is designed to reset the password of a local account. If the password reset process is run against a network account which has been enabled for FileVault 2, the password sync may be broken between the network account and the directory service that manages the account.
E. You’ll be notified that your password has been reset and that you can now reboot and log in at the FileVault 2 pre-boot login screen.
If the option of using an Apple ID to unlock the disk and reset passwords had not been chosen, the Reset Password wizard notifies the user that their FileVault recovery key had not been stored with Apple and that iCloud FileVault recovery is not available. Instead, the user will need to provide their recovery key at the pre-boot login screen.
My password doesn’t work when logging in
The “My password doesn’t work when logging in” option will provide another option for resetting your password, but it relies on the user actually knowing the correct password or having the password to another FileVault 2-enabled account on the Mac.
If the user has the correct password or the password to another account on the Mac which has been enabled for FileVault 2, selecting the “My password doesn’t work when logging in” option will go through the following process:
A. Asking for a password to unlock the boot volume.
Note: This can be the user’s account password (if known and correct) or the password to another FileVault 2-enabled account on the Mac.
B. Select the relevant account.
Note: This password reset process is designed to reset the password of a local account. If the password reset process is run against a network account which has been enabled for FileVault 2, the password sync may be broken between the network account and the directory service that manages the account.
C. Enter and verify a new password.
D. You’ll be notified that your password has been reset and that you can now reboot and log in at the FileVault 2 pre-boot login screen.
My keyboard isn’t working when typing my password to login
The “My keyboard isn’t working when typing my password to login” option will provide the option of decrypting your FileVault 2 encrypted Mac. If the user has their account password or the password to another FileVault 2-enabled account on the Mac, selecting the “My keyboard isn’t working when typing my password to login” option will go through the following process:
A. Asking for a password to disable the FileVault 2 encryption on the boot volume.
Note: This can be the user’s account password (if known and correct) or the password to another FileVault 2-enabled account on the Mac.
B. You’ll be notified that the boot volume has been decrypted and that you can now reboot and log in without being stopped at the FileVault 2 pre-boot login screen.
One thing to be aware of is that the decryption process has only been initiated. Decryption will proceed once the Mac has been booted from a drive that is running a regular installation of Yosemite.
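Because the third option only initiates decryption, a Mac that has been through it looks normal at the next boot while the volume is being decrypted in the background. The following is an added example, not part of the original post: a shell check that classifies `fdesetup status` output so an inventory or compliance job can flag that state. The function names and the sample text are hypothetical, and the matched status phrases are an assumption about the wording `fdesetup` prints.

```shell
#!/bin/sh
# Classify `fdesetup status` text so a fleet check can flag Macs where the
# Reset Password wizard's third option has started decrypting the boot volume.
# Assumption: the phrases matched below ("FileVault is On.",
# "Decryption in progress: Percent completed = N") are the wording fdesetup
# prints; adjust the patterns if your OS X build words them differently.

classify_fv_status() {
    # $1 = full text of `fdesetup status`
    status_text=$1
    # Pull the percentage from a progress line, if one is present.
    percent=$(printf '%s\n' "$status_text" |
        sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p' | head -n 1)
    # Progress lines are checked first: they describe the volume's real
    # state regardless of what the On/Off line says.
    case $status_text in
        *"Decryption in progress"*) echo "DECRYPTING ${percent:-unknown}" ;;
        *"Encryption in progress"*) echo "ENCRYPTING ${percent:-unknown}" ;;
        *"FileVault is On"*)        echo "ENCRYPTED" ;;
        *"FileVault is Off"*)       echo "UNENCRYPTED" ;;
        *)                          echo "UNKNOWN" ;;
    esac
}

# Exit status for a compliance job: 0 = fully encrypted, 1 = anything else.
fv_compliant() {
    [ "$(classify_fv_status "$1")" = "ENCRYPTED" ]
}

# Constructed sample: a Mac booted normally after the wizard started decryption.
SAMPLE_DECRYPTING='FileVault is Off.
Decryption in progress: Percent completed = 37'

# Query the live system where fdesetup exists; otherwise use the sample.
if command -v fdesetup >/dev/null 2>&1; then
    classify_fv_status "$(fdesetup status 2>/dev/null)"
else
    classify_fv_status "$SAMPLE_DECRYPTING"
fi
```

Anything other than `ENCRYPTED` on a Mac that is supposed to be protected is worth a ticket; `DECRYPTING` in particular indicates that someone holding a valid FileVault 2 account password chose to turn encryption off.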

I got the “Forget Password” screen after a crash, and I couldn’t get out of it.
I put in my Key and it started to Decrypt the hard drive, which was going to take 2 hours, I tried to cancel it, but couldn’t. I then rebooted, and the Mac got stuck halfway starting up. That was it, I was hosed. Luckily I had backed up fairly recently. I just don’t know why it forced me to put in the password.
I find that just restarting the machine and resetting PRAM brings you back to the normal boot screen.
This gives me heartburn from an Enterprise/Security standpoint. Not that it couldn’t be done without Apple providing the instructions, but still… essentially defeats the purpose of encryption for us.
@Taylor Armstrong: I don’t understand why this gives you heartburn.
Before Yosemite one could store the recovery key at Apple (needed 3 security questions). All that changed is that the recovery key is now stored at iCloud, and Apple added a tool to grab the recovery key from iCloud for you (instead of calling Apple, answering the 3 security questions, typing in the recovery key).
Apple is smart enough to design FileVault2 as really safe as on previous versions of OS X.
I am not sure what the Institutional FileVault keys do at Yosemite. I hope they will work similarly as in Mavericks, so NOWHERE storing user’s recovery keys, JUST the institutional keys to recover data in case a user is stupid enough to forget his password.
(how can you, when you have to type it every time you boot or wake the computer?)
See https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/ with lots of details.
Hi! I’m locked out of my Mac for three days since I forgot my password. Been doing the recovery OS and reset password but not successful. When I reset it using my Apple ID it says I am unable to connect to iCloud and need to verify my internet connection (it is connected — have an iPhone that is connected to the same network). In the recovery part I don’t see my Mac HD to choose from after typing ‘reset password’ on the terminal disk utility screen. I need help. Thanks.
@Clairemd: In one test with the FileVault recovery keys stored at iCloud, I found that you had to do the two steps after each other:
1-first procedure “I Forgot My Password”
(note that at the end the wizard notes: “You can now unlock the disk with your new password”, not “you can log in with your new password”)
2-Then you have to reset the user’s login password, using the procedure “My password doesn’t work when logging in”. In this procedure you type the (just reset at step 1, new) password to unlock the disk. Then reset the user’s password to the new password.
I found this confusing that procedure 1 does not do the second step, but it seemed to be the only way. Maybe my test had some bugs, or I entered a wrong password, but maybe my tips will help you to unlock your disk AND user login.
Tip: it is smart to use the same new password in step 2, to make sure they are in sync, otherwise you always have to type two passwords, one at boot time to unlock the disk, and one at login time to log in as the user.
Thanks for the info, I forgot my FileVault password, and I entered my iCloud account and got into my Mac easily.
Thanks for the tips! I have a strange problem with my wife’s File Vault 2-enabled Mac mini. I have to take it to work to download updates as we have limited internet bandwidth at home. Every time I take it to work and download updates, when I get back home I have to go through a password reset. It never gives me an account to log into–it shows a progress bar for a few minutes, then goes straight to password reset (it gives three options: your password doesn’t work; you forgot your password; your keyboard doesn’t enter your password). Once I reset the password, the mini starts up normally and goes through an endless loop of requesting the iCloud password until I press cancel. Then everything works okay until once again I have to unplug and take the mini in to work. Any ideas?
I try to do this with my iCloud password but it always tells me that there is an error communicating with iCloud.
Unable to connect to iCloud. Please verify your internet connection. It says that, but I do have a very good internet connection!!!
Since my problem is
“my keyboard isn’t working when typing my password to log in”
how am I able to input my password, on my keyboard, to disable FileVault!
This is a mess, I was out of the office and came back to a now encrypted Mac where I’ve never set this FileVault BS up. Never associated my iCloud because this is my work laptop and the local admin password is not working. Just a mess like when someone enters their iCloud ID into an iPhone and then gets fired, the phone is then worthless. Apple will always be a single user / home user device with the trend of personal emails and iCloud leading their configuration requirements.